Channels

Services

Warning on critical Java hole

Java launches arbitrary processes when the test page is accessed. In the real world, the system would have been infected with malicious code

The current version of Java contains a serious security hole that allows computers to be infected with malicious code when a specially crafted web page is visited. The hole is already being exploited in the wild – although currently only for targeted attacks. But since an exploit is now in circulation, it shouldn't be long before criminals exploit the vulnerability for large-scale attack waves.

The H's associates at heise Security have managed to recreate the problem and have built a proof-of-concept page using information that is publicly available. When the page is accessed, the Java plugin executes a process, in this case calc.exe, without requesting any prior confirmation. Instead of launching the calculator, the web page could have downloaded and executed a malicious program.

Small effort with a large security gain: in Firefox, disable Java in the Add-ons menu under Plugins

All versions of the 7.x branch of Java are affected. In tests, the exploit worked under Windows with all popular browsers including Google Chrome. This conclusion disproves the findings of DeepEnd Research's security experts, who said that the vulnerability can't be exploited under Chrome. Those who have Java installed on their systems should disable the browser plugin – at least until Oracle has released a patch.

It is also worth considering whether to put the Java browser plugin out to pasture for good. After all, coming across a web page that uses Java for legitimate purposes is rather unlikely these days. A secondary browser can be installed for accessing web pages that can't avoid using Java. Local Java applications will still start normally when the plugin is disabled.

The targeted attacks that have been registered so far have exploited the hole to install the Poison Ivy trojan. The malware for these attacks is hosted on a server in Singapore. Oracle has not yet commented on the problem; at present, it is therefore unknown when the vulnerability will be fixed. The next regular Java update is scheduled to be released on 16 October.